Thursday November 07, 2024

Advisory ID: NCC-CSIRT-251024-011

Summary: 

A new malware family named BadSpace, also known as WarmCookie, is being actively distributed through malspam and malvertising campaigns. The malware provides persistent access to compromised networks and has been observed as an initial payload that often leads to the deployment of additional malware such as CSharp-Streamer-RAT and Cobalt Strike.

Damage/Probability: CRITICAL/HIGH

Platform(s): Online banking services, social media sites, and emails

Description: 

BadSpace campaigns use a variety of lure themes, such as job offers or invoices, to entice victims into clicking malicious links. These campaigns frequently deliver WarmCookie via email attachments or embedded hyperlinks that initiate the infection process.

According to Cisco Talos's findings, BadSpace's infection chain typically starts with malicious JavaScript downloaders delivered through either malspam or malvertising. Once executed, these scripts retrieve the WarmCookie payload, allowing the attackers to maintain persistent access within the compromised environment. The latest samples observed show that the malware is evolving, with updates to its persistence mechanism, command structure and sandbox detection capabilities. Several changes have also been made to the command and control (C2) commands supported by the latest BadSpace samples analyzed: the command that removed persistence and deleted the malware itself has been dropped, and new commands have been added.

Consequences: 

The malware offers extensive functionality, including command execution, screenshot capture and payload deployment, making it a valuable tool for maintaining long-term control of compromised systems.

Solution: 

To mitigate this threat, you are advised to carry out the following:

  • Avoid opening unexpected email attachments and use email filters to block malicious files.
  • Restrict software downloads to reputable sites and use security measures to prevent risky downloads.
  • Deploy ad-blocking tools and keep browsers updated to avoid drive-by downloads from compromised ads.
  • Educate employees about social engineering tactics to prevent them from falling victim to psychological manipulation.
  • Implement network segmentation and access controls.
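The first recommendation above (block malicious files at the mail gateway) can be made concrete with an attachment policy check. The script below is an added illustration and is not part of this NCC-CSIRT advisory or of any vendor product: it parses an RFC 822 message, lists every attachment and flags names whose final extension is a Windows script type (the advisory notes that BadSpace infections start with JavaScript downloaders), looking inside zip archives as well. The extension list, the sample "invoice" lure and the address domains are constructed for the example; the attachment bodies are inert placeholder text.

```python
"""Attachment policy check for script-type lures (added example, not from the
advisory). Flags attachments whose last extension is a script type that can
act as a downloader, including scripts wrapped in a zip archive."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed policy list: extensions a mail gateway would normally quarantine.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
                     "ps1", "bat", "cmd", "scr", "lnk"}


def risky_name(filename):
    """True if the attachment name ends in a script-type extension.
    Only the final extension counts, so 'Invoice.pdf.js' is still flagged."""
    if not filename:
        return False
    parts = filename.lower().rsplit(".", 1)
    return len(parts) == 2 and parts[1] in SCRIPT_EXTENSIONS


def audit_message(raw):
    """Parse raw message bytes and return a list of (name, reason) findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if risky_name(name):
            findings.append((name, "script attachment"))
        elif name.lower().endswith(".zip"):
            # Archives are a common wrapper for script lures, so inspect members.
            try:
                data = part.get_payload(decode=True)
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        if risky_name(inner):
                            findings.append((f"{name}:{inner}", "script inside archive"))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable archive"))
    return findings


def build_sample():
    """Constructed sample lure: an 'invoice' mail carrying a .js attachment
    and a zip containing a .wsf file. Attachment contents are inert text."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"// placeholder text, not a real script",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice_4471.pdf.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.wsf", "<job></job>")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="attachments.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in audit_message(build_sample()):
        print(f"FLAG {name}: {reason}")
```

Running the script flags both the double-extension `.js` file and the `.wsf` inside the archive. A production gateway would also check the declared MIME type against the file's actual content and treat password-protected archives, which cannot be inspected, according to policy.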

References: